Use authentication code grant instead of password grant. #3
What does this do?
This changes the way that tokens are retrieved from the services layer when logging in. The OAuth authorization code grant is now used, instead of the password grant. In order to support this, the session configuration now accepts the new properties:

- authCode
- codeVerifier
- redirectUri

The username and password properties, used to support the password grant, no longer have any effect.

This library is only responsible for obtaining a token, given an authorization code. Obtaining the authorization code should be done outside of this library.
Why are we doing this? (with JIRA link)
CSpace 8.0 upgrades Spring Security to 5.3, and uses Spring Authorization Server instead of the Spring OAuth2 plugin. These upgrades drop support for the OAuth password grant (which has been removed from the latest versions of OAuth). The recommended approach for web apps is to use the authorization code grant.
How should this be tested? Do these changes have associated tests?
This can be tested together with CSpace 8.0 and cspace-ui 9.0. Login should continue to work with this combination.
Some unit tests still need to be written. These will be in a separate PR.
Dependencies for merging? Releasing to production?
None.
Has the application documentation been updated for these changes?
n/a
Did someone actually run this code to verify it works?
@ray-lee ran this against a local CSpace 8.0 server.